The Hacker News — Cyber Security, Hacking, Technology News

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.

Cybercriminals are now using a new piece of almost 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.

Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.

Although the report focused on the group's large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to have been developed by, or for, the Dark Caracal group.

CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to the researchers, Dark Caracal does not rely on any "zero-day exploits" to distribute its malware; instead, it uses basic social engineering via posts in Facebook groups and WhatsApp messages, encouraging users to visit attacker-controlled fake websites and download malicious applications.

CrossRAT is written in Java, which makes it easy for reverse engineers and researchers to decompile.

Since at the time of writing only two out of 58 antivirus engines on VirusTotal detected CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview, including its persistence mechanism, its command-and-control communication and its capabilities.

CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware

Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it's running on and then installs itself accordingly.

Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.

Moreover, on Linux systems the malware also attempts to query systemd files to determine the distribution, such as Arch Linux, CentOS, Debian, Kali Linux, Fedora and Linux Mint, among many others.

CrossRAT then implements OS-specific persistence mechanisms so that it is automatically (re)executed whenever the infected system is rebooted, and registers itself with the C&C server, allowing remote attackers to send commands and exfiltrate data.

As reported by Lookout researchers, the CrossRAT variant distributed by the Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223; the server address and port are hardcoded in the 'crossrat/k.class' file.

CrossRAT Includes Inactive Keylogger Module

The malware has been designed with some basic surveillance capabilities, which are triggered only when the corresponding predefined commands are received from the C&C server.

Interestingly, Patrick noticed that CrossRAT also includes 'jnativehook', an open-source Java library for listening to keyboard and mouse events, but the malware has no predefined command that activates this keylogger.

"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies its version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete," Patrick said.

How to Check If You're Infected with CrossRAT?

Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.

In each case, the persistence entry on an infected system contains a command line that includes java, -jar and mediamgrs.jar.

For macOS:

Check for the jar file mediamgrs.jar in ~/Library.

Also look for a launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.

For Linux:

Check for the jar file mediamgrs.jar in /usr/var.

Also look for an 'autostart' file in ~/.config/autostart, likely named mediamgrs.desktop.
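The checks above can be scripted. The following Python script is an added example, not Wardle's tooling or anything from the write-up: it looks for the file names listed above and also reads every launch agent and autostart entry for a command line containing java, -jar and mediamgrs.jar, so a renamed copy is still caught. The home and root directory arguments are assumptions of this example so the same check can be run against a mounted disk image; the Windows side is omitted because the page does not list its persistence location, and the sample tree the demo builds is constructed test data, not a real infection.

```python
import os
import re
import subprocess
import tempfile

# Persistence artefacts named in the write-up, as templates over the home and root dirs.
KNOWN_PATHS = {
    "macos": [
        ("{home}/Library/mediamgrs.jar", "dropped jar"),
        ("{home}/Library/LaunchAgents/mediamgrs.plist", "user launch agent"),
        ("{root}/Library/LaunchAgents/mediamgrs.plist", "system launch agent"),
    ],
    "linux": [
        ("{root}/usr/var/mediamgrs.jar", "dropped jar"),
        ("{home}/.config/autostart/mediamgrs.desktop", "autostart entry"),
    ],
}
# Directories whose entries are read for the launch command, in case the files were renamed.
PERSISTENCE_DIRS = [
    "{home}/Library/LaunchAgents",
    "{root}/Library/LaunchAgents",
    "{home}/.config/autostart",
]
# launchd plists split the command across <string> elements on separate lines, hence DOTALL.
LAUNCH_CMD_RE = re.compile(r"\bjava\b.*-jar\b.*mediamgrs\.jar", re.DOTALL)


def crossrat_artifacts(home, root="/"):
    """Return a sorted list of (path, [reasons]). `home`/`root` are parameters (an
    assumption of this example) so the check can run against a mounted image or test tree."""
    fmt = {"home": home.rstrip("/"), "root": root.rstrip("/")}
    hits = {}
    for os_name, entries in KNOWN_PATHS.items():
        for template, what in entries:
            path = template.format(**fmt)
            if os.path.exists(path):
                hits.setdefault(path, []).append(f"known CrossRAT {what} ({os_name})")
    for template in PERSISTENCE_DIRS:
        directory = template.format(**fmt)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if LAUNCH_CMD_RE.search(text):
                hits.setdefault(path, []).append("persistence entry runs java -jar ... mediamgrs.jar")
    return sorted(hits.items())


def running_crossrat_processes():
    """Live-only check: any JVM whose command line references mediamgrs.jar."""
    try:
        out = subprocess.run(["ps", "-axo", "pid=,command="],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return [line.strip() for line in out.splitlines() if LAUNCH_CMD_RE.search(line)]


def build_constructed_tree(base):
    """Constructed test data, not a real infection: a Linux autostart entry under `base`
    plus a renamed copy, to show that the command-line match still catches the latter."""
    autostart = os.path.join(base, "home", ".config", "autostart")
    os.makedirs(autostart, exist_ok=True)
    with open(os.path.join(autostart, "mediamgrs.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=mediamgrs\n"
                 "Exec=java -jar /usr/var/mediamgrs.jar\n")
    with open(os.path.join(autostart, "updater.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\n"
                 "Exec=/usr/bin/java -jar /tmp/mediamgrs.jar\n")
    return os.path.join(base, "home"), os.path.join(base, "root")


def demo():
    """Run the check over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        home, root = build_constructed_tree(base)
        return crossrat_artifacts(home, root)


if __name__ == "__main__":
    # Live system: the current user's home and the real root.
    for path, reasons in crossrat_artifacts(os.path.expanduser("~")):
        print(path, "->", "; ".join(reasons))
    for proc in running_crossrat_processes():
        print("running:", proc)
```

A hit on the file name alone is a strong indicator; a hit on the launch command in a differently named entry is what you would expect if the operator has rebuilt the implant with new names, so treat both as worth pulling the jar for analysis.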

How to Protect Against CrossRAT Trojan?

Only 2 out of 58 antivirus products detected CrossRAT at the time of writing, so your AV is unlikely to protect you from this threat.

"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java," Patrick said.

"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra)."

Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts the user whenever anything installs itself persistently.

Security issues have long plagued the more than 850 million users who have Oracle's Java software installed on their computers. Worse, for years the software was not fully updated or secure, exposing millions of PCs to attack.

And for this reason, Oracle is now paying the price.

Oracle has been accused by the US government of misleading consumers about the security of its Java software.

Oracle is settling with the Federal Trade Commission (FTC) over charges that it "deceived" its customers by failing to warn them that its security updates left older versions in place.

Java is software that comes pre-installed on many computers and lets them run web applications, including online calculators, chatrooms, games and even 3D image viewers.

Oracle Left Over 850 Million PCs at Risk

The FTC has issued a press release saying it has won concessions in a settlement with Oracle over the company's failure to uninstall older, insecure Java SE versions from customers' PCs during the upgrade process, which left up to 850 million PCs susceptible to attack.

The updater replaced only the most recent version of the software and left older versions in place, and those older versions were often riddled with security holes that attackers could exploit to compromise a targeted PC.

Oracle is Now Paying the Price

So, under the terms of the settlement with Oracle, announced by the FTC on Monday, Oracle is required to:

Notify Java customers about the issue via Twitter, Facebook and its official website

Provide tools and instructions for removing older versions of Java

Oracle has agreed to the settlement, which is now subject to public comment for 30 days; Oracle itself declined to comment.

Meanwhile, the FTC wants Java users to check whether they still have older versions of the software installed. Oracle's removal page is at java.com/uninstall.

AppNexus, a New York-based online ad network that provides a platform specialising in real-time online advertising, has again been spotted as the origin of a "malvertising" campaign that uses the Angler Exploit Kit to redirect visitors to malicious websites hosting the Asprox malware.

AppNexus servers process 16 billion ad buys per day, giving it the biggest reach on the open web after Google. Back in May, AppNexus was serving malicious ads targeting Microsoft’s Silverlight platform. Netflix, the world’s largest Internet video subscription service, runs on Silverlight, and because of its popularity, attackers have been loading exploit kits with Silverlight exploits.

As part of this campaign, visitors to several high-profile websites, including Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl, were last week redirected to websites serving malicious advertisements that infected them by installing botnet malware on their computers, said security company Fox-IT.

“These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware,” researchers at Fox-IT said in a blog post.

The Angler exploit kit is sold on underground forums and is used in various malicious campaigns to compromise websites and redirect users to sites hosting banking malware and other malicious code.

“Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser,” researchers warned.

According to the researchers, Angler first checks whether the victim’s browser runs an outdated version of Java, Adobe Flash Player or Microsoft Silverlight, and if so silently installs a variant of the Asprox botnet malware.

Asprox is primarily a spam botnet that has been involved in multiple high-profile attacks on websites to spread malware. It has recently been modified for click fraud, and cybercriminals are using it to spread malware through email attachments and exploit kits. It also has other malicious functionality, including scanning websites for vulnerabilities and stealing login credentials stored on computers.

“Asprox has gone through many changes and modifications which includes spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.”

When a user visits a site hosting the malicious ad, the browser is redirected in the background to ads[.]femmotion[.]com, which then redirects to the exploit kit on a number of other domains, including the gloriousdead[.]com and taggingapp[.]com.

“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.”
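Fox-IT's point about high ports can be turned into a simple detection over proxy or egress logs. The script below is an added example, not from Fox-IT or this article, run over a few constructed log lines in an assumed '<timestamp> <client> <method> <host>:<port> <status>' format; it flags plain HTTP to ports outside an assumed allow-list and any request to the redirector hosts named in the article, then counts hits per client for triage.

```python
import re
from collections import Counter

# Constructed proxy-style log lines (not from the Fox-IT report); one request per line:
#   <timestamp> <client-ip> <method> <host>:<port> <status>
SAMPLE_LOG = """\
2014-08-25T10:01:02Z 10.0.0.12 GET www.example.com:80 200
2014-08-25T10:01:03Z 10.0.0.12 GET ads.femmotion.com:80 302
2014-08-25T10:01:04Z 10.0.0.12 GET taggingapp.com:37702 200
2014-08-25T10:01:05Z 10.0.0.12 CONNECT login.example.com:443 200
2014-08-25T10:01:06Z 10.0.0.44 GET taggingapp.com:37702 200
2014-08-25T10:01:07Z 10.0.0.44 GET cdn.example.net:8080 200
"""

# Ports on which web traffic is expected in this (assumed) environment; anything else is
# the "high port" pattern Fox-IT describes. Tune this to the local proxy/egress policy.
STANDARD_WEB_PORTS = {80, 443, 8080, 8443, 3128}
# Redirector / exploit-kit hosts named in the article, with the defanged dots restored.
KNOWN_BAD_HOSTS = {"ads.femmotion.com", "taggingapp.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    rec["host"] = rec["host"].lower()
    return rec


def flag_events(log_text, allowed_ports=STANDARD_WEB_PORTS, bad_hosts=KNOWN_BAD_HOSTS):
    """Return the suspicious records, each carrying the list of reasons it was flagged."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["port"] not in allowed_ports:
            reasons.append(f"http-on-nonstandard-port:{rec['port']}")
        if rec["host"] in bad_hosts:
            reasons.append("known-malvertising-host")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def clients_by_hits(hits):
    """Count flagged requests per client so the most-exposed hosts are triaged first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = flag_events(SAMPLE_LOG)
    for h in flagged:
        print(h["ts"], h["client"], f"{h['host']}:{h['port']}", ", ".join(h["reasons"]))
    print(clients_by_hits(flagged).most_common())
```

The port rule is the one that generalises: a known-bad host list only catches this campaign, whereas browser traffic to an unexpected port is unusual enough on most corporate networks to be worth a look regardless of the destination.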

In order to show targeted advertisements to users, advertisers engage in an automatic, real-time bidding process, which makes malicious advertisements more difficult to track. “In the case of this malvertising campaign the malicious advertisers were the highest bidders,” Fox-IT says.

The attackers used a method called “retargeting”, which digital advertising agencies use to rotate the ads shown to the same visitor when they access a specific page multiple times.

“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain adprovider is retargeted from the original advertisement content on the website to the modified or personalized data,” Fox-IT researchers said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.”

If you come across a suspicious Facebook message with ‘LOL’ text or a fake image file sent by one of your Facebook friends, avoid clicking it. A Trojan horse is currently circulating in the wild through the Facebook social network that could steal your Facebook account data and credentials.

Security researchers first spotted this malware campaign at the beginning of March this year. The Trojan spreads through Facebook’s Messenger service (inbox) by messaging a victim, pretending to be one of their friends, with "LOL" and a zip file attached that appears to be a photo, named "IMG_xxxx.zip".

In the past two weeks, many of our readers have told us that they received similar ZIP files from trusted Facebook friends. The Hacker News team has also noticed that, despite several warnings in the media, the malware campaign has once again gone viral like any other video scam, but this time directly from inbox to inbox.

HOW THE TROJAN CAMPAIGN SPREADS

A Facebook user receives a file directly in their inbox from a trusted friend. It appears to be a photo, named 'IMG_xxxx.zip', and comes with a message such as ‘LOL’, "OMG", "Have a look at this" or "I can't believe someone posted this".

The user downloads the file, assuming it comes from the trusted friend, and unzips it on the desktop.

The zip file contains a jar file called 'IMG_xxxx.jar', which executes when the user clicks it.

The jar file itself is not the final payload but a downloader, which fetches a file from a predefined Dropbox account (as shown in the code).

Once downloaded, it installs the malware as a service on the victim's system.

It then spreads further by automatically sending the same malicious message to the victim's Facebook friends in the background.

To evade detection, the malware injects itself into legitimate processes running on the victim’s system. In this way the campaign has been spreading like a chain reaction for the last few weeks.
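A mail or messaging gateway can catch this lure before a user ever clicks it. The script below is an added example, not code from the campaign or from this article: it inspects the members of a zip attachment, flags executable extensions, double extensions and, by content rather than name, a JAR hidden behind an image name. The archive it scans is a constructed stand-in built in memory with a harmless stub jar, so it runs offline; the extension lists are assumptions of this example.

```python
import io
import zipfile

# Member types that should never arrive inside a "photo" archive (assumed policy lists).
EXECUTABLE_EXTS = {".jar", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".com", ".pif"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def looks_like_jar(data):
    """A JAR is itself a zip containing META-INF/MANIFEST.MF; check the content, not the name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(n.upper() == "META-INF/MANIFEST.MF" for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for archive members worth blocking or quarantining."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
            if len(parts) > 2 and "." + parts[-2] in IMAGE_EXTS:
                reasons.append("double-extension")            # e.g. IMG_0001.jpg.exe
            if looks_like_jar(zf.read(info)) and ext != ".jar":
                reasons.append("jar-content-under-non-jar-name")
            if base.startswith("img_") and ext not in IMAGE_EXTS:
                reasons.append("image-like-name-non-image-type")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_attachment():
    """Constructed stand-in for the IMG_xxxx.zip lure (not the real sample): a zip holding a
    harmless stub jar under the lure's name, a genuine-looking image and a jar renamed to .jpg."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Stub\n")
        j.writestr("Stub.class", b"")            # placeholder entry, no bytecode
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("IMG_0421.jar", jar.getvalue())
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # JPEG magic bytes
        zf.writestr("IMG_0423.jpg", jar.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_attachment()):
        print(f"{name}: {', '.join(reasons)}")
```

The content check matters more than the name checks: a renamed jar still launches if the user's desktop associates it with Java, and a gateway that only trusts extensions would wave it through.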

ARE YOU AFFECTED?

To check whether you have fallen victim to this attack by opening such a file from a trusted friend, scan your whole system with a reputable antivirus solution and, to be on the safe side, change your Facebook account password.

Researchers identified the malware as a variant of the Zusy Trojan, which hooks into web browsers to steal credit card numbers or passwords and send them to the remote malware author.

HOW TO PROTECT?

Before downloading any such file, ask the sender whether they actually sent it. If they deny it, simply DO NOT DOWNLOAD it.

Cybercriminals have discovered yet another way to use the world’s most popular social networks for their own ends, and because Facebook has become one of the most popular social networking websites, with more than one billion active users this year, it serves as a vast platform for scammers and cybercriminals to spread malware. So, protect yourself from these threats - Stay Tuned to 'The Hacker News'.


These days botnets are all over the news. In simple terms, a botnet is a group of computers networked together, running a piece of malicious software that allows them to be controlled by a remote attacker.

Windows is still the main target for most malware, but the growing market share of Mac OS X, Linux and smartphones gives cybercriminals a solid reason to target them too.

Last year, Zoltan Balazs, CTO at MRG Effitas, submitted samples of a malicious Java application to Kaspersky Lab for analysis, and they identified it as HEUR:Backdoor.Java.Agent.a.

According to the researchers, the Java bot compromises computers by exploiting a previously known critical Java vulnerability, CVE-2013-2465, which was patched last June. The vulnerability affects Java 7 Update 21 and earlier versions.

Once the bot has infected a computer, it copies itself into the home directory and registers itself with the system's startup programs so that it launches automatically. The malware is designed to launch distributed denial-of-service (DDoS) attacks from infected computers.

It uses the following methods to start it based on the target operating system:

The malware authors used the Zelix KlassMaster obfuscator to make analysis more difficult. It encrypts each class with its own key, so every class has to be analysed to recover the decryption keys.

The bot executable also contains an encrypted configuration file for the Mac OS 'launchd' service, and encrypts the malware's internal logic as well.

The malware uses PircBot, an open-source framework for implementing IRC communication. Zombie computers then report to an Internet Relay Chat (IRC) channel that acts as the command-and-control server.

The botnet supports HTTP and UDP flooding (DDoS attacks) against a target whose details, i.e. address, port number, attack duration and number of threads to use, are received from the IRC channel.

Users should update their Java software to the latest release, Java 7 Update 51 of 14 January 2014, which can be found on Oracle's Java website. The next scheduled security update for Java is on 14 April 2014.

Takashi Katsuki, a researcher at antivirus firm Symantec, has discovered a new attack in the wild targeting Apache Tomcat, an open-source web application server, with a cross-platform Java-based backdoor that can be used to attack other machines.

The malware, dubbed "Java.Tomdep", differs from other server malware in that it is not written in PHP. It is a Java-based backdoor that runs as a Java servlet and gives Apache Tomcat platforms malicious capabilities.

Because Java is a cross platform language, the affected platforms include Linux, Mac OS X, Solaris, and most supported versions of Windows. The malware was detected less than a month ago and so far the number of infected machines appears to be low.

You may think that this type of attack only targets personal computers, such as desktops and laptops, but unfortunately that isn’t true. Servers can also be attacked. They are quite valuable targets, since they are usually high-performance computers and run 24x7.

The Java worm seeks out systems running Apache Tomcat and then attempts to log in by brute-forcing the password, trying combinations of user names and passwords.
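The brute-force step leaves a clear trail in Tomcat's access log. The script below is an added example, not from Symantec's report: it parses constructed access_log lines in Common Log Format, counts 401 responses against /manager/ per source address, and raises the severity when a successful login or a POST/PUT (an upload or deploy through the manager application) follows the failures. The threshold and severity labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed Tomcat access_log lines in Common Log Format (not from Symantec's report).
# 203.0.113.7 guesses five times, gets in, then uploads a WAR through the manager app.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/Nov/2013:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [20/Nov/2013:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 17342
203.0.113.7 - tomcat [20/Nov/2013:10:15:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 17800
192.0.2.50 - admin [20/Nov/2013:10:20:11 +0000] "GET /manager/html HTTP/1.1" 200 17342
198.51.100.9 - - [20/Nov/2013:10:25:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_access_line(line):
    """Parse one Common Log Format line, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(log_text, threshold=5):
    """Per source IP: count 401s against /manager/ and note whether a 2xx (and a deploy)
    followed them. Returns alerts ordered by severity; empty means nothing stood out."""
    stats = defaultdict(lambda: {"failed": 0, "success_after_failures": False, "deploy": False})
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        s = stats[rec["ip"]]
        if rec["status"] == 401:
            s["failed"] += 1
        elif 200 <= rec["status"] < 300:
            if s["failed"] > 0:
                s["success_after_failures"] = True
            if rec["method"] in ("POST", "PUT"):   # manager upload or text-interface deploy
                s["deploy"] = True
    rank = {"critical": 0, "high": 1, "medium": 2}
    alerts = []
    for ip, s in stats.items():
        if s["failed"] >= threshold and s["success_after_failures"]:
            severity = "critical"   # guessed its way in; treat the server as compromised
        elif s["failed"] >= threshold:
            severity = "high"       # active brute force, not (yet) successful
        elif s["failed"] > 0 and s["success_after_failures"]:
            severity = "medium"     # a few failures then success; could be a typo, worth a look
        else:
            continue
        alerts.append({"ip": ip, "severity": severity, **s})
    return sorted(alerts, key=lambda a: rank[a["severity"]])


if __name__ == "__main__":
    for a in detect_manager_bruteforce(SAMPLE_ACCESS_LOG):
        print(f"{a['severity']:8} {a['ip']:15} failed={a['failed']} "
              f"login_after_failures={a['success_after_failures']} deploy={a['deploy']}")
```

A critical alert here is a reason to pull the deployed web applications and the webapps directory, not just to reset the password: once the attacker has uploaded a servlet, changing credentials does nothing about the backdoor already running.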

After installation, the malicious servlet behaves like an IRC bot and can receive commands from the attacker. The malware can upload and download files, create new processes, update itself, set up a SOCKS proxy and perform UDP flooding, i.e. it can take part in massive DDoS attacks.

Symantec traced the command-and-control servers to Taiwan and Luxembourg. To avoid this threat, ensure that your server and AV products are fully patched and updated.

The same ring of hackers responsible for breaking into at least 40 companies, including Facebook and Twitter, also infected the computers of some Apple employees, the company acknowledged on Tuesday.

The hack is considered an effort to steal company secrets, research and intellectual property that the attackers could sell. Investigators tracked at least one server used by the hacker ring to a hosting company in Ukraine.

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers," the company said in its statement. "The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network."

Apple isolated the infected systems from its network and said there was no indication that any data had been taken. Apple is releasing a tool that scans Macs and removes the Java malware, and Oracle has also released a Java update that fixes the vulnerability.

In addition to the Java update, Apple has rolled out version 11.0.2 of iTunes via Software Update.